Using Overlay Networks to Resist Denial-of-Service Attacks

Transcription

1 Uing Overlay Network to Reit Denial-of-Service Attack Ju Wang an Anrew A. Chien Deartment of Comuter Science an Engineering Univerity of California, San Diego Abtract Proy-network bae overlay have been rooe to rotect Internet alication againt Denial-of-Service (DoS) attack by hiing an alication location. We evelo a formal framework which moel attack, efenive mechanim, an roy network. We ue the framework to analyze the general effectivene of roy network cheme to rotect alication. Uing our formal moel, we analytically characterize how attack, efenive cheme, an roy network toology affect the ecrecy of alication location an general reource availability. Our reult rovie guieline for the eign of roy network; the formal framework rovie a tool to tuy roblem in thi area. Our analyi how that roy network are a feaible aroach to revent infratructure-level DoS attack. Proy network eth an ytem reconfiguration are the key to achieving location hiing. Proy network toology alo ha an imortant imact -- rich connectivity in the roy network, a virtue in other circumtance, reuce effectivene in location hiing. Finally, to avoi reource eletion, reactive reource recoverie are inufficient; roactive cheme are neee. Keywor ecurity, availability, Denial-of-Service, overlay network INTRODUCTION Denial-of-ervice (DoS) attack are a major ecurity threat to Internet alication. Since 998, there have been a erie of large-cale itribute DoS attack which effectively hut own oular ite uch a Yahoo! an Amazon an the White Houe webite wa force to move to a ifferent location [-5]. Thee attack have eriou economic imact an olitical reercuion, an may even threaten critical infratructure an national ecurity [6-8]. Alication Service Service Infratructure Uer Internet Figure Eamle of Internet Alication In a Denial-of-Service attack, attacker can make the victim alication unavailable to legitimate uer by overloaing the alication with floo of network traffic or large amount of workloa. DoS attack can be categorize a infratructure level or alication level attack. how a tyical Internet alication eloyment. The alication ervice run on a et of interconnecte hot, which i the ervice infratructure; uer acce it via the Internet. Infratructure-level attack overloa the ervice infratructure, for eamle, by ening acket floo to aturate the victim network. In thi cae, attacker can effectively DoS an alication without any knowlege of it ecet for it IP are. Alication-level attack caue enial-of-ervice by requeting large amount of work at the alication level or by eloiting weaknee in the alication. Many Internet alication are ublicly acceible, o they are eay target for infratructure-level DoS attack. We are eloring the ue of overlay roy network to tolerate infratructure-level attack. The key iea i to hie the Internet alication behin a roy network, which i an overlay network (Figure ). All accee to the alication are meiate through the roy network. Since only alication level traffic can a through the roy network, infratructure level attack are no longer oible a long a the IP are of the alication can be ecurely hien. Furthermore, the roy network nee to run on a large reource ool an be highly itribute an fault tolerant, o it can by itelf tolerate DoS attack an hiel alication. The eence of thi aroach i the following. It i har to make general alication highly itribute an DoS reitant. Therefore we buil roy network with uch caabilitie, which are eaier to buil an can be hare among alication. We ue them to hiel the alication. Mechanim uch a Network Are Tranlation (NAT) can alo hie the alication location. However, NAT boe are vulnerable to DoS attack, o they cannot hiel alication; we will nee network of NAT to reit attack. Current NAT technology oe not cale u to uort thi. Our roy network rovie a oible form of itribute NAT network. A key caability of roy network i location-hiing, which i a comonent of a comlete olution to DoS attack. It rovie a afety erio, uring which an alication location i ket ecret, an infratructure-level attack are revente. It can be combine with other mechanim uch a alication reconfiguration, reeloyment, or even mobility to effectively rotect alication againt infratructure-level attack. If alication can change their location within a afety erio, they can avoi DoS attack inefinitely. However, there i a high cot to reconfigure alication; therefore there i a trong benefit to have effective locationhiing cheme that can rovie long afety erio, reucing overhea an frequency of alication reconfiguration. Thi aer tuie the caability of roy network to rovie effective location-hiing.

2 We are not the only reearcher eloring the ue of roy network for enhancing alication ecurity. Other, uch a Secure Overlay Service (SOS) [9] an Internet Inirection Infratructure (i3) [], ue eiting overlay network uch a Chor [6] to hie the IP aree of imortant noe. To ate, we know of no moeling or effectivene analyi of thee aroache. Our analyi conier a general cla of roy network for location-hiing (SOS [9] an i3 [] are intance of the cla), an rovie an unertaning of what caabilitie are feaible, an the imortance of ifferent element of roy network eign. We believe uch analyi of roy network caabilitie can lea to better unertaning an eign guieline for the whole cla of location-hiing aroache. In thi aer, we buil a formal moel to characterize roy network, attack, an efenive mechanim incluing roy network reconfiguration an reource recovery cheme. We ue thi moel to tuy the effectivene of the roy network aroach. Uing the moel, we characterize the ifficulty for attacker to enetrate the roy network an icover alication location. We alo characterize how quickly reource can be comromie an the effectivene of reource recovery olicie uch a intruion etection-bae reactive cheme an roactive cheme that o not rely on etection. Our tuy lea to the following qualitative concluion:. Proy network with ranom roy migration can effectively hie alication IP aree; thereby reventing infratructure-level DoS attack.. Proy network eth an internal reconfiguration are critical to reventing attacker enetration. 3. The toology of roy network i imortant. Surriingly, rich connectivity, a virtue in other circumtance, can reuce a roy network ability to hie alication location. 4. Reactive technique for reource recovery are inufficient by themelve to avoi reource eletion. However, roactive cheme can uccefully revent reource eletion. The moel an qualitative reult rovie inight into how roy network houl be eigne to effectively rotect alication from DoS attack either by hiing their location or rotecting againt reource eletion. Our tuy inten to buil a better unertaning of overlay network caability of location-hiing for DoS attack reitance, rovie intuition of how roy network houl be eigne, an buil te tone for future tuie bae on more comle an realitic moel in thi area, rather than immeiately an comletely olve the DoS roblem. The remainer of the aer i tructure a follow. Section formulate the DoS roblem an introuce our analytical moel. Analytical reult, inight an icuion are reente in Section 3. Section 4 icue the imlication of our analyi. Section 5 relate our work to the other tuie, an then we conclue in Section 6 with a ummary an a ecrition of irection for future work. ANALYTICAL MODEL In thi ection, we evelo an analytical moel for the ytem. Firt, we give an overview of the roy network cheme. Secon, we ecribe the key comonent, incluing the reource ool, the roy network, the attack an the relate efenive mechanim. Thir, we rooe an analytical moel to characterize thee comonent. Thi moel i ue in Section 3 to tuy the DoS roblem.. Proy network cheme Infratructure-level DoS attack target at the IP aree of the victim alication. Toay Internet alication ublih their IP aree (for eamle via DNS) for convenient uer acce via the Internet, but their ublihe IP aree become obviou target in DoS attack. We ue a roy network aroach to are thi roblem. In our aroach, alication o not ublih their IP aree, intea, they hie behin a roy network, an overlay network that run on a reource ool of Internet hot. The roy network hie the IP aree of all the noe inie (incluing internal roie an alication); only roie at the ege ublih their IP aree (ee Figure ). All accee to the alication are meiate by the roy network via ege roie. No one can eaily icover the alication location, thereby reventing infratructure-level attack. Uer Proy Network A Overlay Reource Pool (IP Network) Ege Proy Proy Figure Proy Network Scheme Hot There are two key challenge in the roy network cheme. Firt, the roy network houl hie alication IP aree ecurely. Secon, the roy network itelf houl be reilient to DoS attack, o it can hiel the alication. The econ challenge i more traightforwar; roie can be built a imle element without eritent tate. Without a nee for trong conitency, relication cheme can be ue to tolerate DoS attack. In thi aer, we focu on the firt roblem location-hiing.. Reource Pool an Proy Network Before icuing the attack an the efenive mechanim, we formally ecribe the reource ool an the roy network, an introuce a rigorou terminology. For imlicity, we

3 tuy the cae where there i only one alication. We believe that our analyi can be etene to multile alication haring the ame roy network, but work i beyon the coe of thi aer. The reource ool conit of hot in the Internet. We aume that the hot can communicate irectly if they have each other IP are, an each hot i ientifie by a unique IP are. A noe in the overlay network i either a roy or the alication. When a noe run on a hot, that hot (or it IP are) i calle the location of the noe. We aume each noe ha a unique location at any moment (an injective maing from noe to ho. Two noe are ajacent if an only if they know each other location. Obviouly, ajacent noe can communicate irectly through the unerlying hot at the IP level. We ue a toology grah to rereent the overlay network. Vertice in the grah correon to noe in the overlay; ege correon to the ajacency relationhi. The minimum itance from ege roie to the alication in the toology grah i the eth of the roy network. A concetual view of a roy network with eth 3 i hown in Figure. The toology grah ecribe the connectivity of the overlay network; two noe can communicate at the overlay level if there i a ath between them in the toology grah. More imortantly, the toology grah alo ecribe how the location information i hare among the overlay noe, a critical aect of how ecurely the roy network can hie the alication location, becaue when attacker comromie a roy noe, they can locate all ajacent noe. Proy Network C h 3 A Figure 3 Proy Network Penetration.3 Attack We focu on the ue of roy network for location hiing. Therefore, the mot imortant iue i hot comromie attack, which can enetrate the roy network an reveal an alication location. Other attack are coniere in Section 4. In a ucceful hot comromie attack, attacker can temorarily control the victim hot an teal information from it. A hot uner uch imact i coniere comromie; otherwie it i intact. We overloa the term comromie a roy i comromie if it run on a comromie hot. At the overlay network level, hot comromie attack can reveal the location of overlay noe. For eamle, in Figure 3, when roy A i comromie, attacker eoe the location of roy B. Reeating thi roce, attacker enetrate the roy network an may eventually caue alication eoure, where the alication i eoe to attacker. B A h h Hot Ege Proy Proy At the reource ool level, hot comromie attack can caue reource lo. Unle thoe comromie hot are recovere, they can no longer be ue a intact reource. Hot comromie attack can eventually lea to reource eletion, where intact hot in the reource ool are inufficient for roy network to oerate correctly. Attacker can either act autonomouly (uncoorinate attack) or cooerate (coorinate attack)..4 Defenive mechanim We have two efenive mechanim, each of which correon to the key rik, alication eoure an reource eletion. At the overlay network level, roy network reconfiguration mechanim irut attacker enetration, thereby heling to revent alication eoure; at the reource ool level, reource recovery/reet mechanim convert comromie hot to intact tate, heling to avoi reource eletion. Proy Network Reconfiguration Proy network reconfiguration mechanim ynamically change roie location or tructure of roy network, iruting attacker enetration by invaliating location information eoe by attack. In thi aer, we tuy ranom roy migration, a imle form of roy network reconfiguration. Proie ranomly change their location inie the reource ool, but o not change the toology of the roy network. For eamle, in Figure 3, when roy B migrate from h to another hot, it will notify it neighbor A an C of it new location. With ranom roy migration, roie can move to new location unknown to attacker, therefore iruting attacker enetration. For eamle, uoe attacker eoe roy B when B i on hot h. When B migrate to another hot, attacker information about B become invali (if both A an C are intac. Attacker cannot rocee unle they can icover B current location. In aition, roy migration can move roie from comromie hot to intact hot. We tuy the effectivene of uch cheme to revent alication eoure. Reource Recovery/Reet Reource recovery/reet mechanim at the reource ool level convert comromie hot to the intact tate. There are two triggering olicie, reactive recoverie an roactive reet. In reactive recoverie, comromie hot are only recovere after comromie i uecte or etecte. Proactive reet o not een on etection, an reet hot into the intact tate regarle of their current tate. Eamle of roactive reet inclue timer-triggere reloaing of hot with clean an uto-ate ytem image, uating an creating new creential, Migration of B i only effective when Proy A an C are not comromie at the moment. Both reource recovery/reet an roy reconfiguration can get roie out of comromie tate by either recovering the comromie hot or moving the roy to an intact hot. It i coniere in our analyi. Reet an Recovery here o not imly going back to a reviou tate. They et the hot into a known clean tate with all the known ecurity hole fie. Therefore, future attacker cannot eaily comromie them through the known ecurity hole. 3

4 an o on. We tuy the effectivene of both cheme to revent reource eletion..5 Stochatic Moel Moel of hot comromie attack We moel occurrence of ucceful hot comromie by one attacker a a Poion roce with rate ; i the comromie ee an i the average time to comromie a hot. To kee the moel concie an imle, we aume hot in the reource ool are wiely itribute an o not have highly correlate vulnerabilitie, o that one hot comromie oe not increae the ee of other comromie, even though the attacker are coorinate. Therefore we ue the ame comromie ee for all attack. The robability of comromiing a hot within time t i given by ( e t )( t ). Moel of roy network reconfiguration Proie ranomly migrate in the reource ool. Occurrence of migration event on any ecific roy are moele a a Poion roce with rate. All roie migrate ineenently at the ame rate. Mathematically, the robability of a roy migrating within time interval t i µ e r t ( t ). Moel of reactive recovery Key attribute of reactive recoverie are true oitive ratio an recovery elay. True oitive ratio i the ratio of comromie that are eventually etecte. Recovery elay i meaure from the moment of comromie to the moment of recovery (if the comromie i eventually etecte). In our moel, the true oitive ratio i ρ, an the eecte recovery elay i. Our moel oe not imoe any ecific itribution on the behavior of recovery. Any itribution caturing thee two attribute (ρ an ) will converge to our reult. In thi aer, for the mathematical convenience, a cale eonential itribution i ue. The robability of a reactive recovery ( e t within time t i given by ρ )( t ). Moel of roactive reet We moel roactive reet event on a hot a a Poion roce at rate µ. In other wor, the average interval between two reet on a hot i, an the robability of a µ ( µ e t )( t ) roactive reet within time t i given by. Table Notation of Analytical Moel Notation Meaning See of hot comromie Rate of roy migration / Eecte elay of reactive recovery ρ True oitive ratio of reactive recovery µ Rate of roactive reet Our notation are ummarize in Table. Dicuion We ue Poion roce to ecribe hot comromie becaue it can conciely characterize the ytem with one arameter ee of comromie (). The Poion moel i uitable for tochatic rocee which are tatitically ineenent of the at. When the hot in our ytem are carefully maintaine with all the known ecurity hole fie, Poion moel i a reaonable aroimation. Earlier tuie [, ] alo howe that Poion moel can correctly characterize the behavior of oftware ytem with a mall number of bug. Thi further jutifie of our moel. Becaue little i unertoo analytically about the behavior of ytem uner hot comromie attack, we have choen to ue imle moel that enable analyi an can conciely characterize the key attribute of the ytem a well a buil intuition. At reent, comle moel quickly become intractable an their reult can be har to interret. A an initial te, we ignore many etail of the ytem (for eamle correlate vulnerabilitie among ho to make the analyi tractable. Even though thi may be very ifferent to reality, we believe our analyi till rovie a funamental unertaning of the roblem, which i eential to future tuy bae on more comle an realitic moel. Our tuy inten to buil a te tone for better unertaning of thi roblem, rather than comletely olve the DoS roblem. 3 ANALYTICAL RESULTS Uing the moel efine in Section, we tuy the effectivene of the roy network cheme. We focu on the two form of ucceful attack ecribe in Section.3: - Alication Eoure: How much time will it take attacker to enetrate the roy network an eoe the alication? How o ifferent arameter, uch a ee of hot comromie, ee of reource recovery, rate of roy migration an toology of roy network, affect the effectivene of the cheme? - Reource Deletion: Uner what circumtance it i oible to kee the majority of the hot intact, o that the roy migration cheme make ene? How effective are the reource recovery cheme againt hot comromie attack? 3. Alication Eoure In thi ection, we rove that without roy network reconfiguration, roy network cannot ecurely hie the location of the alication. Then we rove that with ranom roy migration, there eit a cla of roy network that can rovie effective location-hiing. Then we tuy how ifferent arameter affect the effectivene of our cheme (with a ecific roy network toology) an rovie eign guieline. Finally, we icu the imact of roy network toology. In thi ection, we aume that there are ufficient intact hot in the reource ool. The valiity of thi aumtion i tuie in Section 3.. We efine a roy network to be effective if the eecte time for attacker to eoe the alication grow eonentially with the eth of the roy network. In other wor, for 4

5 effective cheme, aing reource can ignificantly imrove ecurity. 3.. Location hiing Reult I: Without reconfiguration, roy network cannot effectively hie the alication location. Proof of Reult I: Conier a ath from an ege roy to the alication a hown in Figure 4. Let T be the eecte time of hot comromie. Without reconfiguration, the location of roie oe not change, an the toology of the roy network oe not change. Attacker only nee to comromie all the roie on a ath to the alication. It i trivial that the eecte time to enetrate a roy network with eth i T ; the eecte time to alication eoure grow linearly with. Reult I follow irectly. Ege Proy 3 Alication Proie Figure 4 Path from ege roy to alication Reult II: If the majority of the hot in the reource ool are intact, with ranom roy migration, there eit a cla of roy network that can effectively hie the location of the alication. Here i an intuitive elanation. Figure 4 how a ath from an ege roy to the alication; i the length of that ath. Initially only the ege roy i eoe, an location of all the other roie an the alication i unknown to attacker. A ecribe in Section.3, attacker can enetrate the roy network tarting from the ege roy. If all the non-ege roie ( to in the figure) can change their location erioically, then it can irut the enetration. For eamle, in Figure 4 if attacker manage to comromie roy, then roy 3 wa eoe at that time. But thi location information i only vali until roy 3 migrate 3, an if attacker cannot comromie roy 3 before that time, they cannot go any further. Intuitively, if the rate of roy migration i higher than the ee of hot comromie, it i har for attacker to enetrate the roy network, becaue roie can almot alway run away before they get comromie. To rove Reult II, we nee Lemma3.. an Prooition3... Lemma 3..: i the eth of a roy network with an arbitrary toology. i the ee of hot comromie, T = - i the eecte time of a hot comromie. i the rate of roy migration ( >). When the majority of the hot in the reource ool are intact, the eecte time for any 3 More reciely, if roy 3 migrate after roy get out of the comromie tate (roy migrate to an intact hot or roy hot i recovere), attacker will loe track of roy 3 location. uncoorinate attacker to eoe the alication i between Θ(( ) ) T an Θ(( ) ) T. Proof of Lemma 3.. i in Aeni I. Figure 5 N ineenent roy chain Prooition 3..: Conier a roy network with a toology grah hown in, where there are N ath from ege roie to the alication, an all the N ath are ineenent (verteijoin. When the majority of the hot in the reource ool are intact, the eecte time for coorinate attacker to eoe the alication i between Ω ( ( ) ) T an ( ) N r Ω ( ) T (the meaning of,, an T i the ame a N ineenent ath Alication in Lemma 3..). Proof of Prooition 3.. i in Aeni II. Proy chain Length Proof of Reult II: Lemma 3.. how that the eecte time for uncoorinate attacker to eoe the alication grow eonentially with the eth of a roy network. Therefore, with ranom roy migration, roy network can effectively reit uncoorinate attack to hie the alication location. Prooition 3.. how that for a cla of roy network hown in Figure 5, the eecte time for coorinate attacker to eoe the alication grow eonentially with the eth of the roy network. Therefore, there eit ome roy network that can effectively reit coorinate attack to hie the alication location. Reult II follow irectly. To illutrate the effectivene of the roy network cheme, let u aume T to be on the orer of ay 4 ; namely, it may take attacker a few ay to comromie a hot. We conier a roy network with eth 6. Without roy network reconfiguration, we know from Reult I that it will take about a few week to eoe the alication. With ranom roy migration, if roie migrate about once a few hour, then it will take attacker hunre of year to eoe the alication. 4 We aume hot in the reource ool are well maintaine an they o not have known bug. Attacker will nee ignificant amount of time to icover an tuy new vulnerabilitie, rather than uing eiting automate attack tool or worm. In reality, it may take hacker more than a few ay (ometime even week or month) to break into remote ytem. N 5

6 3.. Parametric Analyi In thi ection, we tuy how ifferent arameter affect the effectivene of the roy network cheme. Firt Reult III qualitatively ecribe the imact of ifferent arameter. Then an etenive arametric tuy illutrate the imact of each arameter. Reult III: Proy migration rate an eth of roy network are the key factor to to attacker enetration; linear increae in the eth of the roy network eonentially increae the time to alication eoure. Proof of Reult III: Reult III follow irectly from Lemma 3.. an Prooition 3... Eecte Time to Alication Eoure (unit: T ) Eecte Time to Alication Eoure (unit: T ) attacker, Perfect Recovery one attacker, Perfect Recovery attacker, No Recovery one attacker, No Recovery roy chain eth = Proy Migration Rate (unit: comromie ee ) 5 5 attacker, Perfect Recovery one attacker, Perfect Recovery attacker, No Recovery one attacker, NoRecovery roy chain eth = Proy Migration Rate µ (Unit: See of Comromie r ) Figure 6 Imact of Proy Migration Rate To illutrate the imact of ifferent arameter, uch a roy migration rate, roy network eth, ee of reource recovery an number of coorinate attacker, we conier a roy network with a linear chain toology, an lot the eecte time to alication eoure a a function of thee arameter. To unertan the imact of reource recovery cheme, we lot two bounary cae: no recovery an erfect recoverie, which immeiately recover a hot after it comromie. To unertan the imact of coorinate attacker, we lot the two bounary cae attacker an one attacker. attacker correon to the highet enetration ee attacker can achieve on a linear chain with ufficiently many coorinate attacker. One attacker correon to the cae of a ingle attacker. Therefore the lot rovie a et of enveloe for general cae (ifferent reource recovery cheme an any coorinate attack). Figure 6 how how the roy migration rate affect the eecte time to alication eoure (=5 an = reectively a hown in the two grah; i the eth of the roy network). From Figure 6 we can clearly ee the tren that the eecte time to alication eoure ignificantly increae a migration rate increae (note that Y-ai i log cale). In fact, it increae at a olynomial rate with a the eonent. For eamle, when =, by oubling the migration rate, the time to eoure become three orer of magnitue longer. Figure 7 how the imact of roy network eth. Similar to Figure 6, the lot are the bounary cae. The eecte time to alication eoure increae eonentially a the eth increae. For attacker, it mean that each te further into the roy network become eonentially harer than all the work they i before; an will quickly become intractable when eth get fairly large. To illutrate the ee of growth, uoe attacker can comromie a hot in a ay, an roie migrate time a ay. To enetrate a roy network with a eth of 4 may take a few year; a eth of 6 may take a few hunre year; a eth of may take a few million year, which ractically mean it will never haen. Therefore, eth of the roy network i an effective barrier to to attacker enetration. Eecte Time To Alication Eoure (unit: T ) 5 5 inf attacker, No Recovery inf attacker, Perfect Recovery one attacker, Perfect Recovery one attacker, No Recovery / = Proy Chain Length () Figure 7 Imact of Proy Chain Deth From Figure 6 an Figure 7, we can ee that both the roy network eth an the roy migration rate have ignificant imact on the effectivene of the roy network cheme. The eth of the roy chain i the mot ominant factor. Reource recovery cheme an the number of coorinate attacker have limite imact on the overall ecurity. By ajuting the roy migration rate or the roy chain eth, we can amortize the negative imact coming from thoe ource, a long a the majority of hot are intact in the reource ool. However, thi reult oe not imly goo reource recovery cheme are unneceary. Goo recovery cheme are certainly favorable a hown in Figure 6 an 6

7 Figure 7. With better reource recoverie, we can ue a maller roy network eth or a lower migration rate to achieve ame level of ecurity more efficiently. More imortantly, a icue in Section 3., the reource recovery cheme have unique imact at the reource ool level Imact of Proy Network Toology The toology of roy network i imortant. A icue above, the eth of roy network i a ominant arameter. Beie that, the connectivity of roy network alo ha ignificant imact on how much arallelim attacker can eloit to ee u alication eoure. Previou icuion i bae on a ecific cla of roy network toology (Figure 5), where all ath from the ege roie to the alication are ineenent (Claim 3..3). For general toology, we have the following reult. Reult IV: Rich connectivity increae the enetration robability for attacker an horten time to alication eoure. If the connectivity i ufficiently high, the roy network can no longer effectively hie the location of the alication. Intuitively, in a richly connecte toology, there are more ath leaing to the alication. Therefore, there i more arallelim attacker can eloit. Furthermore, verte egree (number of ege that touch the verte) i tyically high in a richly connecte toology. That favor attacker, becaue comromiing one roy can eoe a large number of roie. ege roy Alication A Figure 8 A roy network toology (R=3) A comlete formal roof involve ee mathematic theory. It i beyon the coe of thi aer, an will be aree in our future work. Here we give an informal roof for a ecial cae. Conier a regular grah (Figure 8), where all vertice (ecet the ege roy an the roie ajacent to the alication) have egree R. Attacker enetration can be coniere a a erie of retrial, with the ege roy a the tarting oint. A trial uccee if attacker reach eth. The enetration robability een on the robability of ucce in each trial. We tuy one uch trial an how how verte egree R affect thi robability. For imlicity, we only conier the cae with erfect reource recoverie. B Proy network eth Mathematically, thi roblem i a branching roce [3]. Conier any air of ajacent roie, for eamle A an B in Figure 8. Let q be the conitional robability of B being eventually comromie if A i comromie. Without retrial, it i traightforwar to rove that q =. Alying reult in [3], we can comute the enetration robability. Figure 9 lot how verte egree affect the enetration robability. It how that roy network with higher verte egree are eaier to be enetrate. Penetration Probability Verte Degree of Proy Network Toology (R) = = =4 =8 =6 Deth of roy network i Figure 9 Imact of Verte Degree Furthermore, from the roertie of branching rocee [3], we know that q(r-) i a criticality metric. It i qualitatively ifferent on each ie of the critical oint. In the ub-critical cae (q(r-)<), the eth of the roy network i a theoretical barrier to to enetration; the robability to enetrate a large eth can be arbitrarily mall. On the other han, in the uer-critical cae (q(r-)>), the eth of the roy network i no longer an effective barrier to to attacker enetration; attacker can reach any eth with a non-trivial robability if given enough time. The toologie icue in reviou ection are in fact in the ub-critical cae. When chooing a roy network toology, the ubcritical cae i more favorable. To ummarize Section 3., we firt rove it neceary to have ome form of reconfiguration mechanim in the roy network cheme. Then we rove that our roy network cheme with ranom roy migration can effectively revent attacker enetration an ecurely hie the alication location. With aroriate roy network toologie, the eth of the roy network i a ominant factor to the overall ecurity, an the roy migration rate have a ignificant imact. Chooing thee arameter aroriately can effectively to attacker enetration. Toology of the roy network i alo imortant. Rich connectivity can increae the enetration robability an can qualitatively reuce the effectivene of the roy network cheme. 3. Reource Deletion All the reviou icuion are bae on the aumtion that we can omehow kee the majority of the hot intact. Thi ection tuie the valiity of thi aumtion. 7

8 Reult V: Reactive recoverie alone are inufficient to avoi reource eletion. Reult VI: When roactive reet, which o not rely on etection, are ue, it i oible to kee the majority of hot intact in the reource ool. Percentage of intact hot in reource ool Percentage of intact hot in reource ool =, ρ=.99 =, ρ=.995 =, ρ=.999 Attacker can concurrently attack u to % of the hot (m=.) Time (unit: eecte time to comromie one ho m=. m=.3 m=.5 m=. =, ρ= Time (unit: eecte time to comromie one ho Figure Reource eletion w/o roactive reet Lemma 3..: Aume initially all hot are intact. Let m be the ercentage of hot attacker can concurrently attack, an f( be the eecte ercentage of intact hot in the reource ool. We know f ( C when m C lim f ( = C when m > C t ρ ( ρ) C = ( + + ) µ + µ µ where. ρ ( ρ) C = m m µ + µ µ Proof of Lemma 3.. i in Aeni III. Proof of Reult V: From Lemma 3.., we can ee that when there are only reactive recoverie (µ =), lim f = C = C if ρ<. In t ( = ractice, ρ i alway le than ; therefore all hot will eventually be comromie in thi cae. Reult V i rove. Intuitively, becaue not all intruion are etecte (ρ<), reactive recoverie cannot recover all the comromie hot; the reiue accumulate over time an eventually caue reource eletion. Figure how that even if we have almot erfect etector, which can etect almot all comromie (>99%) an intantaneouly recover all the etecte comromie, the ercentage of intact hot till ro fairly fat an eventually goe zero. It i wore when attacker can attack more hot concurrently or the reource ool i maller. Proof of Reult VI: When the reource ool i ufficiently large uch that m C, from Lemma 3.., we know that the ercentage of intact hot i alway higher than C. By aroriately chooing µ,, ρ an the ize of the reource ool, C can be arbitrarily cloe to. Namely, the majority of the hot are intact in the reource ool. Therefore Reult VI i rove. Percentage of intact hot in reource ool Percentage of intact hot in reource ool Attacker can concurrently attack % of the hot (m=.) µ =. =, ρ=.99 =, ρ=.995 µ =, ρ= Time (unit: time to comromie one ho =, ρ=.999, µ =. m=. m=.3 m=.5 m= Time (unit: eecte time to comromie one ho Figure Reource availability with roactive reet Figure how the imact of roactive reet. A roactive reet at a low rate ( time lower than ee of comromie) i ae to the cae in Figure. Thi mall inut funamentally change the ytem behavior. Now the ercentage of intact hot tabilize at a number cloe to. Namely, the reource ool can kee almot all of the hot intact over infinite time. Thi rove the nee for roactive cheme that o not rely on etection. how that it i oible to avoi reource eletion with roactive reet. The Y-ai i the ercentage of intact hot in a tabilize ytem. It lot the wort cae where attacker can concurrently attack all the hot in the reource ool (m=). It how that even if no reactive recoverie are ue 8

9 ( =, ρ=), roactive reet can till kee a ignificant ercentage of hot intact. With reactive recoverie, roactive reet at fairly low rate can kee mot hot intact. The reactive recoverie hown in are realitic. Reult from [4, 5] how that tate of art intruion-etection ytem can achieve better than thi. Percentage of intact hot in reource ool =, ρ=, m= =, ρ=.5, m= =, ρ=.8, m= =, ρ=.5, m= =, ρ=.8, m= Proactive reet rate (µ ) Figure Proactive reet rate v. intact hot ercentage 3.3 Summary In thi ection, we tuie the effectivene of the roy network cheme, an focue on two threat in articular: alication eoure an reource eletion. We rove it neceary to have reconfiguration in the roy network to hie alication location. Then we rove that with ranom roy migration, our roy network cheme can ecurely an effectively hie the alication location; we alo rove that it i oible to kee mot hot in the reource ool intact. Combining thee reult, we have hown that our roy network cheme i a feaible aroach to ecurely hie alication location, thereby reventing infratructure-level DoS attack. In our tuy, we alo erive following eign guieline.. Proy network eth i a ominant factor to locationhiing; roy migration rate alo ha ignificant imact. With aroriate roy network toology, thee two factor can effectively to attacker enetration.. The toology of roy network i imortant. Surriingly, rich connectivity, a virtue in other circumtance, may reuce the effectivene of roy network. 3. Reactive reource recoverie are inufficient by themelve to avoi reource eletion. Proactive cheme that o not rely on etection are neceary. 4 DISCUSSION We have rove that the roy network cheme i a feaible aroach to location-hiing. Our reult have everal imlication to imilar aroache that ue overlay network to hie the location of imortant noe (ecret noe). Firt, uch overlay network nee to have ome form of reconfiguration to revent attacker enetration. Without it, the aroach i funamentally vulnerable to hot comromie attack. Current aroache, uch a SOS [9] an i3 [], which o not have any active reconfiguration mechanim in the overlay network, have thi weakne. Secon, the ecret noe houl be lace at the core of the overlay network, far away from the ege noe in the toology grah. Caching the IP are of overlay noe to horten the route between overlay noe, a uggete in i3 [], can ecreae the eth of the overlay network, therefore everely unermine the effectivene of the cheme. Thir, the overlay network houl have the leat connectivity neceary to maintain goo connection between the ege noe an the ecret noe. General uroe overlay, uch a Chor [6], that have high verte egree, may not be uitable. We have hown that rich connectivity i not favorable for ecurity. But goo connectivity i neceary to tolerate failure, keeing alication reachable from uer. So there i a balance between ecurity an failure tolerance. How to chooe an otimal toology i art of our future work. Thi aer only bring u the oint that more connectivity in the roy network i not alway goo, an warn againt carele ue of eiting overlay, uch a Chor, that are eigne for comletely ifferent uroe. Lat, to maintain a reource ool of hot, intruion etectionbae reactive recoverie alone are inufficient. Routine maintenance an occaional reet are critical over a long erio of time. Furthermore, all the hot in the reource ool nee to be carefully an ineenently aminitrate, an regularly uate with ecurity atche, o that they are le likely to hare vulnerabilitie. Otherwie, when hot have correlate vulnerabilitie, attacker can eaily comromie a large number of hot in a hort while; it can greatly unermine the effectivene of the cheme. For thi reaon, collecting home PC cattere in the Internet to contruct a reource ool may not be aroriate. We only tuie hot comromie attack in thi aer. Other attack can alo icover alication location. But they are not major threat to the ytem. We briefly ecribe them below. - Traffic analyi on the roy network at Internet cale hel attacker to locate the alication. But we o not conier it a a realitic threat, becaue it require a rohibitive amount of reource an cooeration from major ISP. - Eionage on ecret configuration an eloyment information of the roy network alo hel attacker to locate the alication. We reort to aroriate aminitrative olicie an legilative mean to revent thi tye of attack an unih the eretrator. 5 RELATED WORK Effectively reiting enial-of-ervice attack i an imortant oen roblem. There are many ongoing tuie, which can be categorize into two aroache: reventive an tolerant aroache. Preventive aroache try to to or eter attack from the ource, which inclue Intruion etection ytem 9

10 [7-], network ingre filtering [3] an IP trace-back cheme [4-7]. Tolerant aroache focu on mitigating the attack imact on the victim by mean of ytem reconfiguration [8], reource iolation [8, 9] or loa balance [3-33]. Many reearcher are eloring the ue of overlay network to tolerate or avoi DoS attack. The Secure Overlay Service (SOS) roject [9] in Columbia Univerity i one of them. They ue Chor [6] in the overlay network to rovie ome amount of anonymity to hie the location of ecret ervlet. There are rimitive analytical reult about the ytem ecurity uner imle attack moel uch a DoS attack on iniviual hot. However, the analyi i tie to their Chor-bae SOS eign an they i not conier hot comromie attack, which are the main threat to their cheme. Internet Inirection Infratructure (i3) [] alo uggete the ue of Chor overlay network to hie the location of the alication. They i not conier hot comromie attack an they i not fully analyze the effectivene of their cheme. To our knowlege, our work i the firt attemt of a thorough analyi in thi area. Here we have tuie how to hie alication location. Interetingly a comlementary roblem, hiing uer ientity, ha been well tuie ince the early eightie. The olution range from the early mi erver [34], to itribute Onion Routing cheme [35], an to the more recent Peer-to- Peer cheme uch a Tarzan [36] an Pata [37]. A key ifference between the two roblem i that there are many uer in the ytem while there are only a hanful of alication. Mot of the cheme are bae on the iea of miing all inut from all uer o that an outier cannot aociate a articular meage to a articular uer. Another key ifference i that uer initiate the communication. In ome cheme, uch a Onion Routing [35], ener nee to contruct a route to the receiver before han. Thee key ifference make the two roblem incomarable, an olution in that area o not aly irectly. 6 SUMMARY AND FUTURE WORK We built a formal framework to rigorouly tuy the roertie of the ytem. Bae on our analytical moel, we have the following reult.. Proy network with ranom roy migration can effectively hie alication IP aree; thereby reventing infratructure-level DoS attack.. Proy network eth an internal reconfiguration are critical to reventing attacker enetration. 3. The toology of roy network i imortant. Surriingly, rich connectivity, a virtue in other circumtance, can reuce a roy network ability to hie alication location. 4. Reactive technique for reource recovery are inufficient by themelve to avoi reource eletion. However, roactive cheme can uccefully revent reource eletion. Future work inclue the following.. More etenive tuy on the relationhi between roy network toology an ecurity (hiing alication location) an failure reilience (maintaining connectivity) with the objective of guiing the eign of an otimal roy network toology.. Stuy of other form of roy network reconfiguration which achieve comarable level of ecurity at lower erformance overhea. 3. Stuy of how (DoS or hot comromie) attack on one hot affect other hot in the reource ool, when hot o hare vulnerabilitie (a new comromie moel). REFERENCE. CERT, "Coe Re II:" Another Worm Eloiting Buffer Overflow In IIS Ineing Service DLL.. htt:// 9.html. CERT, "Coe Re" Worm Eloiting Buffer Overflow In IIS Ineing Service DLL.. htt:// 3. CERT, CERT Aviory CA-3-4 MS-SQL Server Worm. 3. htt:// 4. William, M., EBay, Amazon, Buy.com hit by attack.. htt:// 5. Foneca, B., Yahoo outage raie Web concern..htt:// 6. Miller, J., 4 IT buget requet focue on homelan efene, cyberecurity, in Government Comuter New. 3. htt:// 7. Frank, D., Cyberecurity calle key to homelan efene.,fcw.com. htt:// 8. Schneier, F.B., Trut in Cyberace. 999: National Acaemy Pre Keromyti, A.D., V. Mira, an D. Rubentein. SOS: Secure Overlay Service. in ACM SIGCOMM'.. Pittburgh, PA: ACM.. Stoica, I., et al. Internet Inirection Infratructure. in SIGCOMM.. Pittburge, Pennylvania USA.. Littlewoo, B., Preicting oftware reliability. Phil. Tran. R. Soc., : Aam, E.N., Otimizing reventive ervice of oftware rouct. IBM Journal of Reearch an Develoment, (): Harri, T.E., The Theory of Branching Procee. 963: Prentice-Hall Inc. 4. Limann, R.P., et al. Evaluating Intruion Detection Sytem: the 998 DARPA Off-Line Intruion Detection Evaluation. in Proceeing of the DARPA Information Survivability Conference an Eoition.. 5. Limann, R., et al., The 999 DARPA Off-Line Intruion Detection Evaluation., MIT Lincoln Lab 6. Stoica, I., et al. Chor: A Scalable Peer-to-eer Looku Service for Internet Alication. in ACM SIGCOMM'.. 7. Vigna, G. an R.A. Kemmerer, NetSTAT: a network-bae intruion etection ytem. Journal of Comuter Security, (): Aelon, S., Intruion Detection Sytem: A Survey an Taonomy., Chalmer Univerity of Technology: Goteborg, Sween 9. Cowan, C., et al. Automatic Detection an Prevention of Buffer-Overflow Attack. in the 7th USENIX Security Symoium San Antonio, TX.. Kim, G.H. an E.H. Saffor, Eerience with Triwire: Uing Integrity Checker for Intruion Detection. 995, Purue Univerity

11 . Kumar, S. an E.H. Saffor. A Pattern Matching Moel For Miue Intruion Detection. in Proceeing of the 7th National Comuter Security Conference Wagner, D. an D. Dean. Intruion etection via tatic analyi. in IEEE Symoium on Security an Privacy.. Oaklan, CA, Unite State: Proceeing of the IEEE Comuter Society Symoium on Reearch in Security an Privacy.. 3. Ferguon, P. an D. Senie, Network Ingre Filtering: Defeating Denial of Service Attack which emloy IP Source Are Soofing. The Internet Society, Snoeren, A.C., et al. Hah-bae IP traceback. in ACM SIGCOMM - Alication, Technologie, Architecture, an Protocol for Comuter Communication-.. San Diego, CA, Unite State: Comuter Communication Review. v 3 n Song, D.X. an A. Perrig. Avance an authenticate marking cheme for IP traceback. in th Annual Joint Conference of the IEEE Comuter an Communication Societie.. Anchorage, AK, Unite State: Proceeing - IEEE INFOCOM. v. 6. Stone, R. An IP Overlay Network for Tracking DoS Floo. in the USENIX Security Symoium.. Denver, CO. 7. Savage, S., et al., Practical network uort for IP traceback. Comuter Communication Review,. 3(4): Mutable Service, New York Univerity. htt:// 9. Sacheck, O. an L.L. Peteron. Defening Againt Denial of Service Attack in Scout. in The 3r ymoium on oerating ytem eign an imlementation Welh, M., D. Culler, an E. Brewer. SEDA: An Architecture for Well- Conitione, Scalable Internet Service. in The 8th ymoium on Oerating Sytem Princile.. 3. Robut Network, Princeton Univerity. htt:// 3. Webhere Ege Service Architecture, IBM. htt://www-3.ibm.com/oftware/weberver/egeerver/oc/earchitecture.f 33. Network Loa Balancing Technical Overview -- Microoft Alication Center, Microoft Cororation. htt:// nol/ac/default.a 34. Chaum, D.L., Untraceable Electronic Mail, Return Aree, an Digital Peuonym. Communication of the ACM, 98. 4(): Ree, M.G., P.F. Syveron, an D.M. Golchlag, Anonymou Connection an Onion Routing. IEEE Journal on Selecte Area in Communication Secial Iue on Coyright an Privacy Protection, Freeman, M.J., et al. Introucing Tarzan, a Peer-to-Peer Anonymizing Network Layer. in t International Workho in Peer-to-Peer Sytem (IPTPS').. Cambrige, Maachuett. 37. Elnikety, S., et al., Pata: Anonymou Peer-to-Peer Sytem., Rice Univerity APPENDIX I. PROOF OF LEMMA 3.. In thi cae, we conier a ingle attacker who attack one hot at a time. Since no roie run on ame hot at the ame time, at mot one roy can be uner attack at any moment in thi cenario. We conier a ath from an ege roy to the alication a hown in Figure 4. The Markov tate tranition grah i hown in Figure 3. Figure 3 Markov State Tranition (One Attacker) i the robability of comromiing one hot within unit time t ( - i the eecte time of comromiing a ho; µr i the robability of a roy migration within unit time. In tate, only the ege roy i eoe. In tate k ( k ), the kth roy i comromie. In tate k ( k<), the kth roy i not comromie, but the (k+)th roy i eoe. We tuy the eecte time from tate to reach tate n in two bounary cenario: no recovery an erfect recovery. When there i no recovery, a roy will tay comromie until it migrate. With erfect recovery, hot are intantaneouly recovere (in the tate tranition grah, tate k goe to tate k with robability ). (A) No Recovery T k enote the eecte time to reach tate n from tate k (k ). Obviouly, T = an we want T. It i traightforwar to get a et of linear equation: T = + T + ( ) T T = + T + ( ) T T' = + T + µ rt + ( µ r ) T' Tk = + Tk + + µ rtk ' + ( µ r ) Tk Tk ' = + Tk + + µ rt + ( µ r ) Tk ' From (I), we get Tk b k bk + bkt = + ( + ) µ r = = k + Solve (II), we have T + ( b ( k = ) k ) T ( < k < n) = y y ( y ) ( k < ) (I) (<k<). (II)., where y =. ( + ) + (B) Perfect Recovery Similar analyi can lea u to a et of linear equation in the ame form a (II), but in thi cae T - = - b k = + ( + ). µr µr µr µr µr No Recovery - - µr µr µr Perfect Recovery. Solving it, we get

12 µ r µ µ r r = = lim = an lim = = T. So t t T Θ(( T Θ(( ) ) T T = Θ(( ) ) T for Reult from (A) an (B) hol for any unit time t. Therefore, we have = for erfect recovery an no recovery. Lemma 3.. i rove APPENDIX II. PROOF OF PROPOSITION 3.. Firt we rove the following Lemma. Lemma II.: Conier a roy network with a linear chain toology a hown in Figure 4. Let be the length of the chain. i the ee of hot comromie, an T = - i the eecte time of a hot comromie. i the rate of roy migration ( >). When the majority of the hot in the reource ool are intact, the eecte time for coorinate attacker to eoe the alication i between Θ (( ) ) T an Θ (( ) ) T. Proof of Lemma II.: In thi cae, we aume attacker can concurrently attack all the eoe roie an the roy network i a linear chain of roie a hown in Figure 4. Markov tate tranition grah i hown in Figure 4. We ue the ame et of notation a in Aeni I. - µr µr µr - µr µr No Recovery - µr - µr µr Perfect Recovery. With the ame metho ue in Aeni I, we can get = ) ) T for erfect recovery an T = Θ(( ) ) T for no recovery. Eecte Time * Number of Path Eecte Time * Number of Path Deth = 3 Deth = 4 Deth = 5 Deth = 6 Deth = 7 Deth = 8 / =, erfect recovery 3 4 Number of Path Deth = 3 Deth = 4 Deth = 5 Deth = 6 Deth = 7 Deth = 8 /=, No Recovery 3 4 Number of Path Figure 4 Markov State Tranition (Multile Attacker) (A) No Recovery From the tate tranition grah, we can get T = + T + ( ) T T = + T + ( ) T T' = + ( T + T ) + µ rt + ( µ r ) T' T k = + Tk + + µ rtk ' + ( µ r ) Tk ( k > ) Tk ' = + ( Tk + + Tk ) + µ rtk ' + ( µ r ) Tk ' we get T ( ) ( ) ( ) + = ( + + ( ) (( ) ) + ( ) + ) + ( ) where =. Solve it, (B) Perfect Recovery With imilar analyi, we get T = + ( + )( ) + ( + )( ), where ( ) Figure 5 Imact of Ineenent Path Now we tuy a roy network with toology hown in. A general roof i beyon thi aer. Here we reent a et of numerical reult in Figure 5 to valiate Prooition 3... From the Markov tate tranition grah in Figure 4, we can obtain the tranition matri. Uing thi matri, we numerically comute the eecte time of alication eoure. T an T are reectively the eecte time to alication eoure when attacker enetrate from one ath an when attacker enetrate from N ineenent ath. In Figure 5, the X-ai i number of ath N, an the Y-ai i N*T. From the figure we know that N*T T for both bounary cae. We claim (without roof) that N*T T i true for any general cae within the bounary. Uing Lemma II., we know that T i between Θ (( ) ) T an Θ (( ) ) T. Therefore, Prooition 3.. follow. APPENDIX III. PROOF OF LEMMA 3.. Figure 6 how the tate tranition grah of hot in the reource ool. f( enote the eecte ercentage of intact hot in the reource ool; g( enote the eecte ercentage of the comromie hot that can eventually be etecte; an h( enote the eecte ercentage of comromie hot that can never be etecte. m i the ercentage of hot concurrently attacke. There are two cae: m>f(, enote a worl Φ an f( in thi cae i enote by f Φ (; m f(, enote a worl Φ an f( in thi cae i enote by f Φ (. In worl Φ, attacker can concurrently attack all intact hot; in worl Φ, m boun attacker caability.

13 ρ f( +µ (-ρ) µ h( g( III., t> f( C C m, therefore it tay in Φ. The firt art of Lemma 3.. i rove. ) When m>c, imilarly we can get m>c >C. From Lemma III. an III. we know that t * uch that t>t * f(=f Φ (. Therefore lim f ( t rove. = lim fφ t ( = C. The econ art of Lemma 3.. i Figure 6 State Tranition Grah We firt rove lemma III. an lemma III.. Lemma III.: lim fφ ( = C t ρ where C = ( + µ + µ when ( ρ) + ) µ. f()+g()+h()=, Proof: From Figure 6, we can get the following ifferential equation: f ( t g( t = f ( + ( µ + µ ) g( + µ h( = ρf ( ( µ + µ ) g( h( = f ( g( Solve them, an we can get the following reult: ϕt ϕ t fφ ( = A e + Be + C, where ϕ < an ϕ < ρ ( ρ) an C = ( + + ). Thi reult hol when + µ µ f()+g()+h()=. C, ϕ, ϕ, A, B are all contant, then Lemma III. follow. Lemma III.: ρ ( ρ) lim f t C m m t Φ ( ) = = µ + µ µ f Φ ()=, g()=h()=, then for any t>, f Φ ( C.. Furthermore, if Proof: From Figure 6, we can get the following equation: f ( = m + ( + µ ) g( + µ h( t g( = ρm ( + µ ) g( t h( = f ( g( Solve them, we have µ t ( + µ ) t fφ ( = Ae + Be + C where B C ( ρ) A = m h() µ ρ = m g() ( + µ ) ( ρ) ρ = m m µ ( µ + µ ) If g()=h()=, then A > an B >; therefore, for any t>, f Φ (>C. Proof of Lemma 3..: ρ ϖ = ( µ + ( ρ) Let +, µ ) µ o C = an C =-ϖm. +ϖ ) When m C, with ome algebra we can get C C. Becaue m< an f()=, f( tart in worl an tay there a long a f( m. From Lemma 3